Monday 30 May 2022

Data Protection Rights

Ghana’s Data Protection Act, 2012 (Act 843) provides individuals (customers/clients, employees/staff, patients, students, congregants, members, etc) more control over how government institutions, businesses, associations, schools, churches, and private enterprises process their personal data. 

This article serves two purposes: to bring to the attention of

  1. The individual (data subject): the rights granted to him/her by Act 843, and when and how to exercise these rights to their benefit.
  2. The organization: the individual rights provisions under Act 843, and how and when to respond to an individual exercising any of these rights.

Unfortunately, your right to data protection is not absolute. It must always be balanced against other values, fundamental rights, human rights, or public and private interests, and there may be circumstances under which an organisation has grounds to refuse an individual's request to exercise their data protection rights. There are certain limitations contained within the data protection rights set out under Act 843. For example, your right to access your data should not adversely affect the rights and freedoms of others. Certain data protection rights only apply in certain circumstances. The right to erasure (right to be forgotten), for instance, only applies under certain conditions, such as when the personal data is no longer required for the purpose for which it was collected.

The Act allows for further restrictions on data protection rights in other Ghanaian national laws such as other Acts, Legislative Instruments, regulatory directives, etc. Nonetheless, these restrictions must comply with certain strict requirements, respect the essence of the fundamental rights and freedoms of individuals, and be necessary and proportionate to safeguard certain objectives of larger Ghanaian society or general public interest. Some of the restrictions contained in Act 843 relate to processing carried out for taxation purposes or matters on national security, public health or the exercise or defence of legal claims, and personal data relating to an opinion given in confidence.

Organizations are required by law to respond to your requests (for access to your information or rectification of your personal data) within twenty-one (21) days, even if they believe they have grounds to refuse them [Section 39(2)]. Where an organisation refuses or partly refuses your request, its response must set out clearly which limitation or restriction it is relying on to refuse to act on the request and its reasons for not taking action, and inform you of the possibility of lodging a complaint with the Data Protection Commission (DPC) or seeking a judicial remedy.

Every Ghanaian citizen or the data subject is entitled to have their personal information protected, used in a fair and appropriate legal way, and made available to them when they request a copy. If an individual identifies that their personal information is wrong, they are entitled to ask for the correction of such information. Act 843 protects people (data subjects) against unnecessary data collection, use of data in unanticipated ways, and biased algorithmic decision-making. 

We are undoubtedly in the digital age and personal data is at the core of most digitisation initiatives and processing activities. Our personal data is intrinsically linked to our private life. Our online activities are dotted with digital traces that can reveal intimate details of our thoughts, beliefs, movements, associates, and activities. Such data must be processed fairly for specified purposes and based on the consent of the person concerned, or some other legitimate legal basis established. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified.

The rights granted by Act 843 include the following:

Right 1: The right to be informed [Sections 23 and 27]

One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that organisations that collect/receive personal data must clearly and fully inform the individuals concerned, normally at the point when personal data is being collected, how their personal data will be used. This is called ‘Privacy Information’ and it is normally presented in a privacy notice. There are a few circumstances when organisations do not need to provide people with a privacy notice, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

Right 2: The right to give and withdraw consent [Section 20]

Consent is one of the legal bases for which your personal data can be processed. Consent must be a “freely given, specific, informed and unambiguous indication” via a statement or clear affirmative action, that you agree to the processing of your data. When you give consent, you give the organization (the data controller) the right to process your personal data. 

You can withdraw your consent after you have given it. However, your right to withdraw (revoke) your consent is only applicable when the processing of your data is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Right 3: The right of access [Section 35]

The right of access, also referred to as subject access or a Subject Access Request (SAR) or Data Subject Access Request (DSAR), gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their personal data, and to understand if that use is lawful. Organizations should note that individuals (data subjects) can make SARs verbally or in writing, including via social media, contact forms, emails, and postal addresses connected with the organizations. 

An organization (a data controller) shall comply with SAR promptly and in any event within forty (40) days from the date of receipt of the request where other people’s data might be included. The organization is required to perform a reasonable search for the requested information and should provide the information in an accessible, concise, and intelligible format. The information should be disclosed securely. The organization can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Right 4: The right to rectification [Section 33(1)(a)]

If personal data is inaccurate, out of date, or incomplete, individuals have the right to have that data corrected, updated, or completed. Collectively, this is referred to as the right to rectification. Rectification may involve filling the gaps, i.e., having incomplete personal data completed, although this will depend on the purposes of the processing.

This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof. This right only applies to an individual’s own personal data; a person cannot seek the rectification of another person’s information unless the individual is a minor or the requestor is acting in a legal capacity or mandated by law. 

Right 5: The right to erasure (Right to be forgotten) [Section 33(1)(b)]

In certain circumstances, people can ask for their personal data to be deleted or erased from the records held by organisations. However, this is a qualified right; it is not absolute and may only apply in certain circumstances.

Data subjects have the right to the erasure of personal data on any of the following grounds:

  • The data are no longer necessary concerning the purposes for which they were collected or otherwise processed.
  • The data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing.
  • The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
  • The personal data have been unlawfully processed.
  • The personal data must be erased for compliance with a statutory duty. 

Right 6: The right to prevent processing for direct marketing [Section 40]

Individuals have an absolute right to prevent an organisation from using their personal data for direct marketing. In broad terms, this means promoting an organisation's aims and objectives and trying to sell things. Once such an objection is raised, the use of personal data for direct marketing purposes must stop. Direct marketing includes the communication, by whatever means, of any advertising or marketing material that is directed to particular individuals. An organization shall not provide, use, obtain, or procure information related to a data subject for direct marketing without the prior written consent of the data subject.

Right 7: The right to object [Section 20(2), (3), 39, 40, 41]

Act 843 gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent an organization from processing their personal data. An objection may be about all the personal data the organization holds about the individual or only to certain information. It may also only relate to a particular purpose the data is being processed for. When the organization agrees to an objection, it must stop using the personal data for that purpose unless it can give strong and legitimate reasons to continue to make use of the data, despite the objections raised. 

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not use it. An individual can request restrictions verbally or in writing. This means that an individual can limit the way that an organisation uses their personal data. This is an alternative to requesting the erasure of their data. If the right to restrict processing is available and applied, then the organization can continue to retain/store personal data, however, no other use of the data can be made until the restriction is lifted. 

The data subject shall have the right to object to or prevent the processing of personal data under the following conditions:

  • for a specified purpose or manner [Section 39]
  • direct marketing [Section 40]
  • by automated decision-making (including profiling) [Section 41]
  • processing for scientific or historical purposes.

Because this is a qualified right, there are exceptions the organization can rely on to continue processing the data: where it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or where the processing is for the establishment, exercise, or defense of legal claims.

Right 8: Rights relating to automated decision-making and profiling

Individuals have the right to object to automatic decision-making and profiling. You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you. 

Automated processing is permitted only with your express consent, when necessary for the performance of a contract, or when authorised by law. Where one of these exceptions applies, suitable measures must be in place to safeguard your rights, freedoms, and legitimate interests. This may include the right to obtain human intervention on the controller’s part, the right to present your point of view, and the right to challenge the decision.

An organization can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  • necessary for entering or performing a contract between an organisation and the individual
  • authorised by law (for example, for fraud or tax evasion) or
  • based on the individual’s explicit consent.

Where automated processing relates to the special categories of personal data, the processing is only lawful where the individual has given his/her express consent to the processing, or where it is necessary for reasons of substantial public interest.

Right 9: Right to complain [Section 41]

An individual (data subject) has the right to complain about an issue or issues that relate to the processing of their personal data. The complaint could be lodged directly with the data controller, the data processor, or, where necessary, with the Data Protection Commission (DPC), which is the supervisory authority in Ghana. The complaint must be in writing. However, the practice is that the individual first lodges the complaint with the organization (the data controller).

If the issue is not addressed to the satisfaction of the individual, it can be escalated to the Data Protection Commission for redress. When a complaint has been lodged, the data controller must tell the data subject whether or not it is going to comply with the request and why, notify the data subject of actions taken or being taken to comply, and provide evidence of any decision taken.

Right 10: Right to compensation [Section 43(1)]

Where an individual suffers damage or distress through the contravention by a data controller of the requirements of Act 843, that individual is entitled to compensation from the data controller for the damage or distress. The damages suffered could be material or non-material. 

How long will it take?

When an individual makes a request to exercise their rights, the data controller must:

  1. Provide information on the action taken "without undue delay"
  2. In any event, respond within twenty-one (21) working days of receipt of the request
  3. The twenty-one (21) working day period may be extended to forty (40) working days where necessary, considering the complexity and number of requests
  4. In that case, inform the data subject of any extension within twenty-one (21) working days of receiving the request and explain the reasons for the delay
  5. If the data controller does not act on the request of the data subject, inform the data subject without delay and, at the latest, within twenty-one (21) working days of receipt of the request of:
    • the reasons for not taking action
    • the possibility of lodging a complaint with the Data Protection Commission and of seeking a judicial remedy (through the courts).

Author: Emmanuel K. Gadasu

(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact author ekgadasu@gmail.com or Mobile: +233-243913077

Source: www.iipgh.org

Sunday 29 May 2022

Privacy Impact Assessment: why it is important for organizations

Privacy Impact Assessment (PIA) is a tool for measuring compliance, identifying, and minimizing privacy-related risks, and demonstrating accountability. PIAs are conducted to safeguard the rights and freedoms of individuals in developing new products and services or undertaking any other initiatives that involve the processing of personal data. The objective of PIAs is to systematically identify the risks that the planned initiative poses to privacy and personal data, as well as to examine and evaluate alternative ways for data processing to mitigate these potential risks.

A PIA enables an organization to carefully analyze how a particular project, program, process, or system will affect the privacy of the individuals (data subjects) involved. The purpose of the PIA is to ensure that identified privacy risks are minimized, and eliminated where possible, while allowing the objectives of the project to be met. Risk assessments, when done properly, lead to the early identification of risks, which can be addressed at the early stages by analyzing how the proposed uses of personal information and technology will work in practice. This analysis can be performed by consulting with the stakeholders: the people who will be working on, or affected by, the project, program, process, or system. A PIA will help ensure that an organization is taking a proportionate approach to the use of personal data. It requires organizations to identify why a project, program, process, or system is necessary and what it is aiming to achieve. It will then help to achieve these aims without a disproportionate impact on privacy.

A PIA is not a legal requirement under most data protection or data privacy regulations, not even the mother of data protection (GDPR). However, conducting a PIA helps ensure compliance with the laws and regulations governing privacy and demonstrates the organization's commitment to protecting the privacy of any personal information it collects, stores, retrieves, uses, and shares. It is a comprehensive analysis of how the organization's IT systems or applications process personal data.

PIA demonstrates that program managers and system owners in the organization have consciously incorporated privacy protections throughout the development life cycle of a system or program. PIAs allow an organization to communicate more clearly with the public about how they handle information, including how they address privacy concerns and safeguard information. Ideally, PIAs are supposed to be a public document shared or posted on the organization’s website upon completion. PIAs should be conducted in plain language and in a manner that allows the public to understand the activities of the organization. Ideally, and as a good practice, PIAs should be reviewed annually to ensure they are accurate, up-to-date, and relevant.

Carrying out a PIA does not need to be complex or time-consuming. However, thoroughness is necessary to ensure that potential privacy risks are identified and mitigated. The complexity of a PIA, and resulting documentation, will depend on the complexity of the project. The PIA process should be suitable for the needs of the project and your institution.

A PIA also significantly benefits the organization by facilitating communication and collaboration between the different stakeholders, those impacted and affected. Identifying risks to privacy and data protection is not always easy, but it is certainly worth the effort, cost, and resources. A thoroughly conducted PIA gives the organization greater control over its daily business processes and enables it to make informed decisions regarding new initiatives. Privacy does not prevent cool things from happening, but it ensures that things are done in the right way, as mandated by laws or regulations and as one would reasonably expect.

Privacy risks or impacts fall into two broad categories:

  • Risks to individuals: This includes identity theft and other forms of fraud, adverse impact on employment or business opportunities, damage to reputation, embarrassment, distress, or financial impacts.
  • Risks to institutions: This includes the financial, legal, and reputational impact of privacy breaches and the consequences of violating privacy laws and regulations.

Do you need a PIA?

The Office of the Privacy Commissioner of Canada has developed a great assessment flowchart that could help to determine if an organization needs to do a PIA or not. This flowchart can be found below.

Risks of not undertaking a PIA include:

  • non-compliance with the letter or the spirit of relevant privacy laws or regulations, potentially leading to a privacy breach and/or negative publicity
  • loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
  • damage to an entity’s reputation if the project fails to meet expectations about how personal information will be protected
  • identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions

Potential benefits of undertaking a PIA include:

  • ensuring that the project complies with privacy laws and regulations
  • reflecting community values around privacy and personal information in the project design
  • reducing future costs in management time, legal expenses, and potential negative publicity, by considering privacy issues early in a project
  • identifying strategies to achieve the project's goals without impacting privacy
  • demonstrating to stakeholders that the project has been designed with privacy in mind
  • promoting awareness and understanding of privacy issues inside the organization
  • contributing to broader organizational risk management processes
  • building community awareness and acceptance of the project through public consultation.

A PIA may also assist an entity to demonstrate its compliance with its privacy obligations and its approach to managing privacy risk in the case of a future complaint, privacy assessment or investigation relating to the privacy aspects of a project.
Author: Emmanuel K. Gadasu – CIPM, CDPS, CEH, CHFI

(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact author ekgadasu@gmail.com or Mobile: +233-243913077